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Abstract. The need for a small step semantics and more generally for a thorough documentation and 
understanding of Coq’s tacticals and PVS’s strategies arise with their growing use and the progressive 
uncovering of their subtleties. The purpose of the following study is to provide a simple and clear formal 
framework to describe their detailed semantics, and highlight their differences and similarities. 


1 Introduction 

Procedural proof languages are used to prove propositions with the assistance of a proof engine: the user 
wields the language to give the theorem prover instructions or tactics on the way to proceed throughout the 
proof. The instruction set roughly corresponds to the elementary steps of the formal logic inherent to the 
prover; a proof script is a collection of such instructions. The need for a way to express the proof scripts in 
a more sophisticated and factorized way emerges as soon as proofs get more complicated, resulting in very 
large proof scripts of elementary steps. This makes any proof reading or maintenance operation tedious if not 
impossible. Both Coq [1] and PVS [11], derived from the LCF theorem prover, introduce proof combinators 
in their proof language to powerfully compose elementary proof tactics: tacticals in Coq, strategies in PVS 1 . 
Though other provers such as Isabelle and NuPrl also implement tacticals, they have not been included in 
this work but a similar reasonning could probably apply. The following sections expose the semantics of the 
tacticals of Coq and PVS, using a small steps semantics and some appropriate structures and notations. 


2 Conventions and Structures 

Coq and PVS, as most procedural theorem provers, usually implement a goal oriented proof style. That is, 
given a proof goal and an elementary logical rule, the prover applies the logical rule backwards to the goal, 
yielding a set of potentially simpler subgoals. For example, given the proof goal T h0< lAJ < 1, the Coq 
instruction Intro ((split) in PVS) generates the subgoals T h 0 < X and T h X < 1. This corresponds to 
the application of the logical rule: 

AhB Ah C . 

— — — — — A-intro . 

Ah B AC 

In turn, some new rules are applied to the new subgoals, and the process stops when all the subgoals are 
refined enough to be trivially proven true. This repetition creates an arborescent structure of subgoals, 
which is called here the proof context Goals, i.e., sets of formulas of the form A \ , . . . , A n H B \ , . . . , B m , are 
commonly named sequents . 


2.1 The Proof Context 

The proof context is considered here as a collection of sequents organized in a tree of sequents, its leaves 
representing the sequents that are currently to be proven. A leaf, when modified by some command, becomes 
the parent of the sequents created by this command: the nodes of the tree of sequents are the “old” sequents. 

* This work was supported by INRIA FUTURS and the National Institute of Aerospace (under NASA Cooperative 
Agreement NCC-1-02043). 

1 Henceforth, when refering to the combinators in general, the name tactical will be used. 



70 


Florent Kirchner 


Thus, the tree of sequents keeps track of the proof progression. Incidentally, one has to consider the number 
of features that are related to the proof context (state of the proof, proven branches, goal numbering, etc.). 
Hence the semantics is made much clearer by blending a simplified object-oriented structure with the tree 
representation. This way, the proof context, the sequents, and the formulas are considered as non mutable 
objects including attributes , which correspond to their features, and functions or methods that read or modify 
these attributes and eventually return a new object. For instance, one of the attributes of the proof context 
object is the tree of sequent objects. Furthermore, a sequent object has a set of formula objects as attribute. 

Let us now define some notations. A sequent is represented as T h A, where JT is the antecedent and A 
is the consequent , each being a list of formulas 2 . Latin letters A, B> etc. represent individual formulas. We 
write O . m(x) for the invocation of the method m of object O with the list of parameters x . The objects 
here are non mutable, meaning that methods modifying an object return a new object. Thus, a method call 
O. m(x) is a synonym for the function call m(x, 0), and the objects could also be seen as records. The letter 
r denotes a proof context object; we distinguish a few particular proof contexts: 

- T is a proof context that is completely proven. 

- JL n stands for a failed proof context. The integer n codes for an “error level”, i.e., an indicator of the 
propagation range of the error. Errors are raised by tacticals and tactics, when they are called in an 
inappropriate situation (i.e., when none of the reduction rules of our semantics apply 3 ). 

- And 0 is the empty proof context, i.e., a proof context object hosting an empty tree. 

The equality test between a context and an empty, proven or failed context is the only equality test between 
contexts we authorize in our semantics. 

The description of the attributes and methods of r is as follows. 

- Attributes: 

• T.seq_tree: the tree of sequents. 

• r. active: pointer to the active subtree of sequents, i.e., the subtree on which the next command will 
take effect. In case it is a leaf, then r. active represents a sequent T h A, and we will write: r. jT h A 
to refer to such a proof context. 

• r. progress: this is a flag raised when the tree of sequents has gone through changes. Basically, when 
a tactic successfully applies, it raises the progress flag ; it is reseted by a specific, “Break”, command. 

- Methods: 

• r. addLeaves(Ti b A \ , . . . , T n h A n ): this method applies when the active attribute points to a leaf: 
it adds n leaves to the tree. In the new tree, the new sequents h Ai, i € {1, . . . , n}, will be leaves, 
and the former active leaf of the old tree will become their common parent node. 

• r. lower Pointer (i): moves the active pointer down (towards the root) in the tree, i > 0 being the 
depth of the move. 

• r. raisePointerToLeafQ: moves the pointer up to the first (i.e., innermost leftmost) unproven leaf of 
the tree. 

• r.pointNextSiblingQ: moves the pointer to the closest unproven leaf, sibling of the active sequent. 
If there is no such sibling, the pointer is set to a default empty value, which is represented by the 
method returning the empty proof context 0. 

• r.setProgress(h): sets the corresponding flag to b . 

• r.hasProgressed(): returns the value of the progress flag. 

• r.setLeafProvenQ: the active leaves, that is, the leaves of the active subtree, are labeled as proven. 
If there are no unproven sequents left, the proof is finished (i.e., r. setLeafProven() = T). 

• r.isActiveTreeProvenQ: returns true if all the leaves in the active subtree are labeled as proven, 
false otherwise. 

2 The semantics presented in this paper does not distinguish between sequents with permuted formulas. This limi- 
tation is not problematic since we focus on tacticals, which do not require formula-level knowledge. But it should 
be addressed if a detailed semantics of the tactics, in addition to the semantics of tacticals, was to be considered. 

3 The error system is a bit more complicated than this, especially in Coq. But this simplification is a valid, under- 
standable approximation of the provers’ behaviour. 
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The sequent and formula objects are illustrated in Fig. 1, which also provides some type information. The 
figure uses the UML formalism where a class notation is a rectangle divided into three parts: class name, 
attributes, and methods. The diamond end arrow represents an aggregation, that is, a relation “is part of”. 
The types presented here are basic and purely informative. 



Fig. 1. Proof context objects 


2.2 The Proof Script 

Given a set of tactics and of tacticals, a proof script is built by combining tactics with tacticals. For instance, 
in Coq, with the Intro and Assumption tactics, and the tactical one can build the proof script Intro ; 
Assumption . Such a proof script applies to a proof context r. We use p,p' to designate tactics and e,e' to 
denote proof scripts. 

The distinction between tactics and tacticals within the proof language is somewhat fuzzy, as they both 
modify the proof context object. Here we consider that the tactics are the elements of the proof language 
that attempt to modify the tree of sequents, by adding leaves to it. For example, in PVS, the (split) tactic 
applied to the sequent A h B A C behaves as the A-intro logical rule, adding two leaves A\~ B and A b C 
to the sequent tree. Thus the sequent tree 

A\~ B AC 


is transformed into the sequent tree 

A\~B AhC 
A\- B AC 


The tacticals represent the proof language’s control structures. In our semantics, they do not modify 
the tree of sequents directly but rather reduce into simpler proof scripts, and possibly modify some other 


t 
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attributes of the proof context. For instance in PVS, assuming a non-failed non-proven context r, the proof 
script (if nil (fail) (split)), formed of the tactical if and the two tactics (split) and (fail), evalu- 
ates in the (split) tactic: 


(if nil (fail) (split)) / r — 1 4 (split) /r . 

The actual modification of the proof context is performed by (split). 

In these examples the difference between tactics and tacticals appears quite clear, but we also note that 
the definition of a tactical implies the manipulation of tactics. Because of this dependency, the presentation 
of the semantics of the tacticals needs to be parameterized by the computation rule for tactics. 


3 The Semantic Framework 

The notion of small step or reduction semantics was introduced by Plotkin [9] in 1981. It consists in a set of 
rewriting rules specifying the elementary steps of the computation, within a context. The idea behind the 
present formalism is to use the reduction semantics of the imperative part of Objective ML, popularized by 
Wright and Felleisen [12], as an inspiration to deal with the interactions between the proof language and the 
proof context. 

As exposed in the previous section, the reduction rules for the tacticals are dependent on the way tactics 
are applied to proof contexts. The semantics of the tacticals is parametrized by that of the tactics. Hence 
a formal definition of a tactic application is needed before any semantic rules are given. Since tactics, when 
evaluated, modify the tree of sequents, we consider them as expressions which modify the proof context. A 
tactic p applied to a proof context r returns another proof context r’: 

p%r = r’ . 

The exact instanciations of this functional definition are of course system specific, and will be exposed in 
sections 4 and 5. 

Tacticals are combinators, therefore their evaluation within a proof script should return either a simpler 
proof script or a tactic. We denote this returned expression by e'. The reduction of tacticals can also modify 
the proof context t, thus a reduction rule in our semantics will look like: 

e j r e* / r’ , 

where e denotes a head reduction (i.e., reduction of the head redex). These rules are conditionnal rewriting 
rules, with the tactics ’ computation function as a possible parameter. For example, the Coq tactical 
applies its first argument to the current goal and then its second argument to all the subgoals generated. 
If the first argument proves the current goal or fails, applying another proof script to that failed or proven 
proof context does not make any sense, and the second argument is neglected : 

if Vn (i>i %r) ± -L n 
and -i(ui%r).isActiveTreeProven() , 
if 3n ( v\%r ) — l n 
or {v\%t). isActiveTreeProvenQ . 


vi ; e 2 / r -4 e 2 / (vi %r) 
v\ ; e 2 / r -4 vi / r 


The context rule 

e / r e 1 / r ? 

allows processing a proof script on which no head reduction applies. The definitions of the detailed reduction 
rules as well as that of the grammar of the context E depend highly on the language, and will be presented 
in the later prover-specific sections. 

Finally, the values of our semantics consist, for each language, in the set of its components we do not 
wish to reduce. Thus they will be defined as the subset of each languages that are tactics, augmented, in the 
case of Coq, by the recursively defined functional and recursive operations (see section 4.2). 


I 
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Note that this definition of the reduction semantics of the tacticals produces, when all tacticals have 
been reduced, something like v / r as a final result. This is unsatisfying since we would like to see this final 
tactic v applied to r (as in v%r ). Hence the use, for each langage, of a “Break” command that does this 
final evaluation. 


4 Coq 

In Coq the tactical commands are defined as an independent language, called Ctac 4 - Delahaye [4] gives the 
definition of this language and an informal big step semantics 5 . 


4.1 Syntax 

Let us define the syntax of a Coq proof script: 


expr . 


all expressions must end with 


And 


expr 


x identifiers 

p tactic 

k integer (£ iac -specific) 

t Coq term 

Fun x — > e 

Rec x\ X 2 — < > e 

(ei e 2 ) 

Let x\ — e\ And . . . And x n = e n In e 

Match t With ([£*] — t> ei)™ =1 

Match Context With ([ hpi h Pi] -> ei)” =1 

e\ Orelse e 2 

Do k e 

Repeat e 

Try e 

Progress e 

First [ei \ . . . \e n ] 

Solve [ei| . . . \e n ] 

Tactic Definition x e 
Meta Definition x e 
Recursive Tactic Definition x e 
Recursive Meta Definition x e 
ei 5 ^2 

e 0 ; [ei| . . . |e n ] . 


4.2 Semantics 

The values of the semantics are defined as: 

v p 

| Fun x —> e 
| Rec x\ x^ -*> e . 

4 Ctac also includes some commands that correspond to our definition of tactics, which we will see later; and some 
miscellaneous features that will not be presented in this paper. 

5 Whereas a small step semantics is defined by a set of reduction rules that apply within a reduction context, a big 
step semantics directly links an expression with its normal form. 
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The reduction rules for the tacticals follow. 

Applications These simply correspond to the /3-reduction rules of the A-calculus. 

(Fun x -t> e)(t>) / r e[x v] / r . 

(Rec fi-<> e)(t;) / r — ^ e[x «-h v][f (Rec f x e)] / r . 

Local variable binding The are bound to the values v* in the expression e. The bindings are not 
mutually dependent. 

Let xi = v\ And . . . And x n = v n In e / r — ^ e[xi , . . . , ar n v n ] / r . 

Term matching This tactical matches a Coq term with a series of patterns, and return the appropriate 
expression, properly instanciated. 

Let 0 be the binary operator defined as: 


(J\e\ 0 o 2 e 2 / r — 

-*• Vi / r 

if the substitution o\ is defined 
and V\e\ / r evaluates in v\\ 

— 

-> u 2 /r 

else, if o 2 is defined 
and <72^2 / r evaluates in v 2 ; 

- 

Idtac / r 

otherwise. 


For all i € {1, . . . , n), (J Pi +-*t is the substitution resulting from the matching of t by pi (undefined if pi 
does not match t ; matching by - always succeds and yields the empty substitution). 

The reduction rule then is: 

Match t With ([p»] -*• ej)f =1 / r -4 0” =1 a Pi ^ t e. / r . 

Context matching This tactical matches the current goal with a series of patterns, and returns the ap- 
propriate expression, properly instanciated. The order of the patterns is not significant ; since Coq uses 
constructive logic, the consequent A is limited to a single formula B. 

The original Coq rule allows for multiple antecedent patterns, which is a simple nesting of the presented 
form: 

Match Context With ([hpi t- pi\ -> ei)" =1 / r. (. . . Aj . . . (- B) — ► 

e i / r • 

If this does not succeed then the context progression rule is used instead: 

Match Context With ([ hpi h pi] -*> a ) " =1 / r. (. . . Aj . . . h B) 

Match Context With ([hpi h pi] e*) ” =1 / r. (. . . Aj-\ . . . h B) . 

Break The break command V triggers the evaluation of the tactics and then resets some parameters in the 
proof context before the application of the next proof script: 

v, / r (i;%r).raisePointerToLeaf().setProgress(false) . 

Sequence The sequential application of two tactics: v 2 is applied to all the subgoals generated by vi. This 
is the basic example of the use of conditional rules in conjunction with the % relation. 

if Vn > 0 (vi%r) ^ _L n 
and -y(v\%r). isActiveTreeProvenQ , 
if 3n > 0 (vi %t) = l n 
or (t; 1 %r).isActiveTreeProven() . 


vi ; e 2 I r -4 e 2 / (vi %r) 
vi ; e 2 / r -4 v ± / r 


i 
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N-ary sequence First applies v 0 and then each of the v* to one of the subgoals generated. The definition 
of this command uses an additional operator, -f, to allow potential backtracking. 

vo ; [ei | . . . |e n ] / r -4- ;7ei, . . . , e n / ( v 0 %r ). raisePointerToLeaf() 

if Vn > 0 (vq%t) ± _L n 

and ->(uo%r). isActiveTreeProven() 

u 0 ;[ei|...|e n ] / r -4 u 0 / r 

if 3n > 0 (u 0 %t) = l n 
or (uq%t). isActiveTreeProven() , 


and 


VrVi , e 2 . . . , e n / T ’ -4 ;?e 2 , . . . , e n / (v\ %r ’) . pointNextSibling() 

if Vn > 0 (ui%r’) ^ _L n , 

Tt^i , e 2 . . . , e n / t’ -4 (Fail 0) / r if 3n > 0 (ui %r’) = _L n , 

/ r’ —4 (Fail 0) / r if r’= 0 

or (u n %r 5 ). pointNextSibling() ^ 0 , 

/ r’ --4 Idtac / (u n %r’). lowerPointer(l) if r’/ 0 

and (u n %r’).pointNextSibling() = 0 . 


Branching This tactical tests whether the application of v\ fails or does not progress, in which case it 
applies u 2 . 

i?i Orelse e 2 / r -4 e 2 / r if (ui%r) = _L n 

or -<(i;i%r).hasProgressed() , 

Ui Orelse e 2 / r —4 Ui / r if (v\%r) _L n 

and (ui%r). hasProgressed() . 

Progression The progression test. Fails if its argument does not make any change to the current proof 
context. 

Progress v / r —^4 v / r if (v%r). hasProgressed() , 

Progress v / r —4 (Fail 0) / r if -i(v%t). hasProgressed() . 

Iteration Here A: is a primitive integer, only used in £ tac . This tactical repeats v , A: times, along all the 
branches of the sequent subtree. Here again we introduce an additional operator Do e . 

Do k e / r — 4 (Do e k e) / r , 

with 


Do 0 e / r —4 Idtac / r 
(Do e k v) / t —4 (Do e (A: — 1) e) / (v%r) 

if Vn > 0 (u%r) ^ _L n 
and ->(v%r). is Active TreeProven() 
(Do e k v) / r —4 v / r if 3n > 0 (u%r) = _L n 

or (u%t). is Active TreeProvenQ . 
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Indefinite iteration This is the indefinite version of the previous iteration. It stop s when a ll the applica- 
tions of v fail. As for the previous finite iteration, notice the additional operator Repeat e . 

Repeat e / r Repeat e e / r , 

with 

Repeat e v j r — Idtac / r if Bn > 0 (v%r) = _L n 
Repeat e v / r — ^ v / r if (v%r). isActiveTreeProven() 

Repeat e v / r — > Repeat e e / (v%r) 

if Vn > 0 (v%r) ^ _L n 

and ->(n%r). isActiveTreeProven() , 

Catch The Try tactical catches errors of level 0, and decreases the level of other errors by 1. 

Try v / r Idtac / r if ( v%r ) = _Lo 

Try v / t — [Fail (n — 1)] / r if 3n > 0 (v%r) = J_o 

Try v / r —^4 v / r if Vn > 0 ( v%r ) ^ _Lo • 

First tactic to succeed Applies the first tactic that does not fail. It fails if all of its arguments fail. 

First [] / r (Fail 0) / r 

First [vi\e 2 \ • • - |v n ] / r — ^ V\ j r if Vn > 0 ^ _L n 

First [vi |e 2 1 * • • |e n ] / r -4 First [e 2 | . . . |e n ] / r if 3n > 0 (vi%r) = ± n • 

First tactic to solve Applies the first tactic that solves the current goal. It fails if none of its arguments 
qualify. 

Solve [] / r-4Fail0/r 

Solve [vi |e 2 | . . . \e n \ j r v\ / r if (vi %r). isActiveTreeProven() 

Solve [vi |e 2 | — |v n ] / r -4 Solve [e 2 | . . . |e n ] / r 

if isActiveTreeProven() . 


4.3 Toplevel Definitions 

The semantics of the user-defined tactics and tacticals requires an extension of the meta-notation. Let M be 
a memory state object with its two trivial methods newTactical(name, description) and getTactical(name). 

ATnewTactical(x,e) — ► M{x «-h e} , 

if x & Dom(M). 

ATgetTactical(x ) — > M(x) . 

The declaration of new commands simply writes: 

(Recursive) Tactic Definition x := v / r A1.newTactical(x,t;) / r , 

(Recursive) Meta Definition x t / r ATnewTactical(x,£) / r , 


where the “Recursive” tag is optional. 

Thus when evaluating an expression on which none of the previous reduction rules apply, the following 
will be tried: 

x / r —^4 M. getTactical(x) / r . 
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4.4 Context 

The evaluation context is defined as: 

E::= [] 

I E. 

| E e | v E 
| Let x — E In e 
| E Orelse e | v Orelse E 
| E\e | v; E 
I VrE I VrE,e 2, . . . ,e n 
| Do e n E 
| Repeat e E 
| Try E 
| Progress E 

| Match E With (pi — > e*) ” =1 
| First[£|e 2 |...|e„] 

| Solve[£|e 2 |...|e„] 

| Tactic Definition x := E \ Meta Definition x := E 
| Recursive Tactic Definition x := E 
I Recursive Meta Definition x := E . 


4.5 Tactics 

The goal of this section is not to give the semantics for all the tactics but rather to demonstrate on a few 
specific examples how the application of simple tactics to a proof context can be expressed. 

In general tactics apply to a sequent tree, but will be exposed here only the case where r. active designates 
a leaf. When the pointer designates a subtree, the tactic is simultaneously applied to all the unproven leaves 
of this subtree. 

The following equations define partial functions, they are extended to complete functions by taking the failed 
proof context J_ 0 as a return value for any undefined point. 


Intro%r. r \~ (x : A)B = r. addLeafs (T, (x : A) h B). setProgess(true) . 

Clear x%r. r,(x : A) h B = r. addLeafs (f h B). setProgess(true) , 

with V(£j : Ai) £ T ■ x £ Ai. 


Assumption%r. T, (x : A) P A! = r. setLeafProven(). setProgess(true) , 

with A and A ' unifiable. 

Cut A%t. r h B — r. addLeafs (T P (x : A) • B, T P A), set Progess (true) . 
The identity was introduced in [4] as a tactical, but it behaves as a tactic: 

Idtac%T = r . 

The same holds for the error command: 


(Fail n)%r = _L n . 
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5 PVS 

PVS tactics and strategies are thoroughly described in [8] and [6], but as far as we know, there is no published 
small-step semantics of the strategy language- 


5.1 Syntax 

Here is the syntax of the subset of PVS’s tactics that will be considered: not all of PVS’s strategies are 

exposed here; those that appear are believed to be the most significant ones, the others being either special 

cases or slight variants of the aforementionned. 

Contrary to Coq, there is no symbol in PVS to mark the end of the proof command. This problem is 

dealt with by using a special symbol (^[): 

e ::= expr all expressions must end with “f” . 

And 

expr x identifier 

| p tactic 

| t Lisp term 

| (if t e x e 2 ) 

j (let (Oi £i)...(x n t n )) e) 

I (try e x e 2 es) 

| (repeat e ) 

| (repeat* e) 

| (spread e 0 (ei . . .e n )) 

| (branch e 0 (e x . . .e n )) 

| (try-branch eo (ei-..e n ) e n +i) 

5.2 Semantics 

There are no abstraction strategies in PVS therefore the values are defined as the tactics: 
v p . 

The reduction rules for the tacticals follow. 

Break % triggers the evaluation of the tactics and does the final proof context parameter reset: 

v f /r (v%T).raisePointerToLeaf().setProgress(false) . 

Lisp conditional A lisp argument t is evaluated to determine whether the first or the second tactic argu- 
ment is applied. 


(if t e\ e 2 ) / r e 2 / r if t — nil 

(if t e\ e 2 ) / t — * e\ /r if t ^ nil . 

Lisp variable binding The local variable binding strategy. The symbols x; are bound to the lisp expres- 
sions ti in the latter bindings and in e. 

(let ((xi t n )) e) / r 

e[Xi ti,..., X n <r^t n ] / T . 
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Backtracking This strategy combines a branching facility triggered by the progress condition, with an error 
catching functionnality. It applies v\ to the current goal, it this shows a progress then it applies v 2 , else 
it applies t> 3 . Moreover, if v 2 fails then this strategy returns (skip). This final backtracking feature calls 
for the use of an additional operator try r . 

Remark that the sequencial tactical then is simply defined as (then v\ v 2 ) = (try v\ v 2 v 2 ). 


(try v\ e 2 e 3 ) / r -4 (try r e 2 ) / ( v\%r ) if (vx%r). hasProgressed() 

and Vn > 0 (v\%r) ^ l n 
and isActiveTreeProven() 

(try v\ e 2 e 3 ) / r -4- (fail) / r if Bn > 0 ( V\%r ) = _L n 

(try v\ e 2 e 3 ) / r -4 e 3 / r if -i(t;i%r). hasProgressed() 

(try e 2 e 3 ) Jr -4 /r if (ui%r). isActiveTreeProven(), 

with 


(try r t;) / r’ -4 v / r’ if Vn > 0 (u%r’) 7^ JL n 

(try T r) / r’ -4 (skip) / r if 3n > 0 (t>%r’) = _L n • 

Indefinite iteration The tactic argument is applied to the current goal, if it generates any subgoals then 
it is recursively applied to the first of these subgoals. The repetition stops when an application of the 
tactic has no effect. 


(repeat e) / r -4 repeat" e / r , 

with 

repeat^ v / r -4 Idtac / r if 3n > 0 ( v%r ) = JL n 
repeat^ v / r -4 v / r if (v%r). isActiveTreeProven() 
repeat e v / r -4 repeatj e / (v%r). raisePointerToLeaf() 

if Vn > 0 (v%r) 7^ _L n 

and -»(u%r).isActiveTreeProven() , 


Like repeat, repeat* repeats v, but on all the previously generated subgoals. 

(repeat* e) / r -4 repeat* e e / r , 


with 

repeat* e v / r -4 (skip) / r if 3n > 0 (u%r) = _L n 
repeat* € v / r -4 v / r if (v%r). isActiveTreeProven() 

repeat* e v j r —4 repeat* e e / (t>%r) 

if Vn > 0 (v%t) 7 ^ _L n 

and ->(^%r).isActiveTreeProven() , 

N-ary sequence The N-ary sequence in PVS is similar to that of Coq, but here the number of generated 
subgoals need not be exactly n. 

(spread Vo (e x ...e n )) /r — 4 
spread^ 0 ’ ei, *" ,e ”ei, . . . , e n / (u 0 %r). raisePointerToLeaf() , 

and, with / representing the list i>o» , e n : 

spread^- ui , e 2 . . . , e n / r’ -4 
spread^e 2 , . . . , e n / (vi%t’). pointNextSibling() 

if Vn > 0 (vi %r’) 7^ JL n , 
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and 

spread^! , e 2 . . . ,e n / r’ — ^ (fail) / r if 3n > 0 (vi%r’) = _L n , 

and 

spread^- 0 ’ 61 ’ ,,eTl u n / r’ 

spread^ 0 ’ 61 ’ ■ ,en_1 t>o ? ei ? . . . ,e n _i /r if r’= 0 , 

and 

spread^-?; n / r 1 (skip) / lowerPointer(l) 

if r’/ 0 

and (u n %r’).pointNextSibling() — 0 , 

and 

spread£ 0,ei, ' ,en u n / r’ 

spread^ 0 ’ 61 ’ " ,eTl ’ (5fc ^ ) i;o,ei, . . . ,e n , (skip) / r 

if (u n %r’).pointNextSibling() ^ 0 , 

The (branch . . . ) method behaves likewise, but repeats the last element of the list on all the remaining 
siblings when necessary: 

(branch u 0 (ei-..e n )) / r 

branch^°’ ei, ”‘ ,en ei, . . . , e n / (t?o%r). raisePointerToLeaf() . 

The reduction rules are the same for branch^ 0 ’ 61 ’"’ 6 " as for spread^ 0 ’ 61 ’ ' ,en , but for the last rule: 

branch^- 0 ’ 61 ” ’ ’ en u n / r’ 
branch^- 0 ’ 61 ’ ' "’ en ’ eTl uo,ei, ...,e n ,e n / r 

if (u n %r’).pointNextSibling() ^ 0 , 

N-ary backtracking A combination of the try and the branch strategies, try-branch applies v\ to the 
current goal, and in case it generated subgoals it applies each of the v\ to one of the subgoals. Else it 
applies V 2 . As for try, this strategy catches any failure that would arise from the application of any of 
the v[. 

(try-branch Vo (e \ . . . e n ) e 7 ) / r — ^ 

(try-branch£ 0,Cl ’”‘ ,en ei...e n ) / (v 0 %r) 

if (u 0 %r).hasProgressed() 
and Vn > 0 (u 0 %r) ^ _L n . 

(try-branch v 0 (ei . . . e n ) e 7 ) / r (fail) / r if Bn > 0 (u 0 %t) = ± n 

(try-branch Vo (ei . . . e n ) e 7 ) / r e 7 / r if -i(uo%r). hasProgressed(), 

with 

(try-branch^ Uie 2 . . . e n ) / r’ — 

(try-branch^ e 2 . . . e n ) / (vi%r’). pointNextSibling() 

if Vn > 0 (vi%r’) # _L n , 
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and 

(try-branch^ V\e 2 . . . e n ) / r ? —4 (skip) / r 

if 3n > 0 (vi %r’) = _L n , 

and 

try-branch^ 0,ei ’’”’ en u n / r’ —4 
try-branch^°’ ei,4 ‘‘ ,e "“ 1 ei, . . . , e n _i / (uo%r) 
if r’— 0 

or (n„%r’). pointNextSibling() ^ 0 , 

and 

try-branch^u n /r 5 —4 (skip) / (u n %r’). lowerPointer(l) 

if 0 

and (v n %r’). pointNextSibling() — 0 , 

and 

try-branch" 0 ' ei ' r - : '**v n / r’ -4 

try-branch^- 0 ’ 61 Cn,Cn ci, . . . ,e n , e n / («o%r) 

if (v n %^ 5 )- pointNextSiblingQ ^ 0 , 


5.3 User-defined strategies 

As for Coq, the meta-notation needs to be enriched to cope with the user definitions. Let M be a memory state 
object storing the new strategies, and its methods set Strategy (name, description) and getStrategy(name). 
Unlike Coq though, PVS uses a specific file, pvs-strategies, to load user definitions, and does not allow 
for toplevel declarations. Moreover, these definitions split into two categories, rules i.e. atomic commands or 
blackbox , and strategies i.e. non-atomic commands or glassbox . 

PVS calls the setStrategy at launch to initialize the memory state, and only allows readings during runtime: 

jM.getStrategy(x) — » M{x) , 

where M(x) — ( Box e), Box is one of the two tags Glass or Black, and e is a proof script. The tags are not 
part of the real PVS syntax: they are introduced here to describe a phenomenon that is actually hidden in 
the implementation. 

When evaluating a tactic on which none of the previous reduction rules apply, the following will be tried: 

x / r -4 M. getStrategy(x) / r . 

Finally this calls for a definition of the semantics of the Glass and Black commands: 

(Black v) / r -4 (skip) / r if 3n > 0 (v%r) = _L n 
(Black v) / r -4 v / r if Vn > 0 (v%r) ^ _L n , 

(Glass v) / r —4 v / r . 
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5.4 Context 

Ev.= [] 

| (try E e 2 e 3 ) 

I try rE 

| (spread E (e\...e' n )) 

| spread^ 0 ’ 61 ’ ,e "j5 e* . . . e„ 

| (branch E (e[ ...e' n )) 

| branch^ 0 ’® 1 ’ ,Cn £J e* . . .e„ 

| (try-branch E (e\...e' n ) e 2 ) 

| try-branch^ 0 a...e n 
| (Glass E) 

| (Black E) . 

5.5 Tactics 

The same conventions will be used as for Coq’s tactics. Note that PVS does not use the error level: _L 0 is the 
only error possible. 

(f latten)%r. r b A D B = r. addLeaves (JT, A b B). set Progess (true) . 

(flatten)%r. r b A V B = r. addLeaves (r b A, B). setProgess(true) . 

(flatten)%r. r,A/\B\~C — 
t. addLeaves (P, B b C). setProgess(true) . 

(propax) %r. r,A\~B = t. leafProven(). setProgess(true) 

if A and B are syntaxically 
equal. 

(beta)%T. r b (Aar : t)(u) = r. addLeaves ( r b t[x u]). setProgess(true) . 

(skip)%r = r . 

(fail)%r = ± 0 • 

(skolem * (“a ”))%r. r, (3x : A) b B = 
r. addLeaves (r, A[x Ma]bB). setProgess(true) . 

(skolem * (“a”))%r. 7 1 b (Var : A) = 
r. addLeaves (J 1 b A[x a]). setProgess(true) . 
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6 Conclusion and Future Work 

We have presented a small step semantics for the core of both Coq and PVS’s tacticals, as well as for some 
simple tactics. This semantics seems correct with respect to the formal definition of both languages, provided 
for Coq by Delahaye’s definition of C tac [4], and for PVS by the Prover Guide [11]. A proof of correctness of 
our semantics in regard with these definitions is currently under way. Future work will also try to incorporate 
more advanced tactics to the system, although this will certainly prove more difficult, entailing the use of 
global proof environments and variables, o-equivalence classes, and most likely the integration of PVS-like 
automatic conversion methods. It might also be interesting to express tacticals from other languages (such 
as Isabelle or NuPrl) in this framework, and the idea of a correlation between proof tacticals and rewriting 
strategies might be worth studying. Nevertheless the formal basis of the semantics is easily and conservably 
extendable, and should allow for an efficient and - hopefully - not too complicated continuation. 

Finally, beyond its informative features, this work sets the very basis for an unified representation of PVS’s 
strategies and Coq’s tacticals, which would allow for proof portability, double-checking, prover- relevancy 
modularization, i.e., an overall improved flexibility and interoperability. 
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